@kwiki - You are on the right track on using streamstats. But I would just run two searches and compare the results; it would be much easier to write a query for. Here it is:

index=myindex sourcetype=trans response_code!=00 earliest=-3d@d latest=-2d@d
| stats count as error_count_3_days_ago
| append [| search index=myindex sourcetype=trans response_code!=00 earliest=-2d@d latest=-1d@d
| stats count as error_count_2_days_ago]
| stats first(*) as *
| eval perc_increase = round(((error_count_2_days_ago-error_count_3_days_ago) / error_count_3_days_ago)*100, 2)
| where perc_increase>3
| table perc_increase

(I have not tested the query, but the logic is to append the data together and compare.) I hope this helps!!!!
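An added example, not part of the reply above: the same day-over-day comparison as a single search that uses streamstats and also handles a zero-error baseline day, where the division would otherwise yield no value and the alert row would be dropped silently. The field names error_count and prev_error_count are illustrative, and the choice to flag any errors after a zero-error day is an assumption.

```spl
index=myindex sourcetype=trans response_code!=00 earliest=-3d@d latest=-1d@d
| timechart span=1d count as error_count
| streamstats current=f window=1 last(error_count) as prev_error_count
| where isnotnull(prev_error_count)
| eval perc_increase = if(prev_error_count > 0, round(((error_count - prev_error_count) / prev_error_count) * 100, 2), null())
| where perc_increase > 3 OR (prev_error_count = 0 AND error_count > 0)
| table _time prev_error_count error_count perc_increase
```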